Quttera ThreatSign – Web Malware Scanner for WordPress Security & Risk Analysis

wordpress.org/plugins/quttera-web-malware-scanner

WordPress multi-level security scanner detecting malware, 0-day threats, brute-force attacks, bot attacks, and unauthorized admin changes.

10K active installs · v4.0.0.3 · PHP 7.2+ · WP 3.3.2+ · Updated Mar 12, 2026
card-skimmer, malware-removal, malware-scanner, threat-detection, wordpress-security
98
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Aug 14, 2025
Safety Verdict

Is Quttera ThreatSign – Web Malware Scanner for WordPress Safe to Use in 2026?

Generally Safe

Score 98/100

Quttera ThreatSign – Web Malware Scanner for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Aug 14, 2025 · Updated 22d ago
Risk Assessment

The quttera-web-malware-scanner plugin exhibits a concerning security posture, primarily due to its substantial attack surface lacking proper authentication. With 31 unprotected AJAX handlers, a vast majority of its entry points are exposed, making it a prime target for unauthorized access and execution of arbitrary actions. The presence of dangerous functions like 'unserialize' and 'exec' further exacerbates this risk, as they can be exploited to execute malicious code if untrusted input is processed. While the plugin has a history of medium and low severity vulnerabilities, including SSRF, sensitive information exposure, and path traversal, the absence of currently unpatched CVEs is a positive sign. However, the taint analysis revealing two flows with unsanitized paths is a critical concern, suggesting potential for directory traversal or similar exploits even with the historical vulnerabilities addressed.

Key Concerns

  • Large attack surface without authentication
  • Dangerous functions (unserialize, exec) used
  • Flows with unsanitized paths
  • Medium severity CVE history
  • Low severity CVE history
  • Limited nonce checks
  • Output not always properly escaped
Vulnerabilities
3

Quttera ThreatSign – Web Malware Scanner for WordPress Security Vulnerabilities

CVEs by Year

2 CVEs in 2023
1 CVE in 2025

Severity Breakdown

Medium: 2
Low: 1

3 total CVEs

CVE-2025-8013 · low · 3.8 · Server-Side Request Forgery (SSRF)

Quttera Web Malware Scanner <= 3.5.1.41 - Authenticated (Administrator+) Server-Side Request Forgery

Aug 14, 2025 · Patched in 3.5.2.1 (1d)

CVE-2023-6065 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Quttera Web Malware Scanner <= 3.4.1.48 - Sensitive Data Exposure

Nov 21, 2023 · Patched in 3.4.2.1 (63d)

CVE-2023-6222 · medium · 6.8 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Quttera Web Malware Scanner <= 3.4.1.48 - Authenticated (Administrator+) Directory Traversal via ShowFile

Nov 21, 2023 · Patched in 3.4.2.1 (63d)
Code Analysis
Analyzed Mar 16, 2026

Quttera ThreatSign – Web Malware Scanner for WordPress Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 16 (24 prepared)
Unescaped Output: 105 (218 escaped)
Nonce Checks: 1
Capability Checks: 13
File Operations: 32
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize: $list = unserialize($dump, ['allowed_classes' => false]); (qtrFsSnapShot.php:153)
unserialize: return unserialize($str, ['allowed_classes' => false]); (qtrOptions.php:41)
exec: exec("TASKLIST /FO LIST /FI \"PID eq $pid\"", $out); (qtrScanLock.php:153)
unserialize: $data = unserialize($serialized, ['allowed_classes' => false]); (qtrSettings.php:1042)

Bundled Libraries

jQuery

SQL Query Safety

60% prepared · 40 total queries

Output Escaping

67% escaped · 323 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
qtr_wm_scanner_ajax_run_scan (quttera_wm_scanner.php:383)
Attack Surface
31 unprotected

Quttera ThreatSign – Web Malware Scanner for WordPress Attack Surface

Entry Points: 31
Unprotected: 31

AJAX Handlers 31

auth · wp_ajax_scanner-run_scan · quttera_wm_scanner.php:91
auth · wp_ajax_scanner-run_internal_scan · quttera_wm_scanner.php:97
auth · wp_ajax_scanner-run_heur_internal_scan · quttera_wm_scanner.php:99
auth · wp_ajax_scanner-settings · quttera_wm_scanner.php:101
auth · wp_ajax_scanner-is_internal_scan_running · quttera_wm_scanner.php:103
auth · wp_ajax_scanner-is_external_scan_running · quttera_wm_scanner.php:105
auth · wp_ajax_scanner-get_log_lines · quttera_wm_scanner.php:107
auth · wp_ajax_scanner-clean_log · quttera_wm_scanner.php:109
auth · wp_ajax_scanner-get_stats · quttera_wm_scanner.php:111
auth · wp_ajax_scanner-stop_internal_scan · quttera_wm_scanner.php:113
auth · wp_ajax_scanner-get_detected_threats · quttera_wm_scanner.php:115
auth · wp_ajax_scanner-get_ignored_threats · quttera_wm_scanner.php:117
auth · wp_ajax_scanner-ignore_threat · quttera_wm_scanner.php:119
auth · wp_ajax_scanner-get_file_report · quttera_wm_scanner.php:121
auth · wp_ajax_scanner-show_file · quttera_wm_scanner.php:123
auth · wp_ajax_scanner-unignore_threat · quttera_wm_scanner.php:128
auth · wp_ajax_scanner-clean_ignore_list · quttera_wm_scanner.php:130
auth · wp_ajax_scanner-acknowledge_alarm · quttera_wm_scanner.php:132
auth · wp_ajax_scanner-get-alarms · quttera_wm_scanner.php:134
auth · wp_ajax_scanner-whitelist_threat · quttera_wm_scanner.php:136
auth · wp_ajax_scanner-clean_threats_whitelist · quttera_wm_scanner.php:138
auth · wp_ajax_scanner-get-bruteforce-blocked-ips · quttera_wm_scanner.php:141
auth · wp_ajax_scanner-remove-bruteforce-blocked-ip · quttera_wm_scanner.php:142
auth · wp_ajax_scanner-clear-all-bruteforce-blocked-ips · quttera_wm_scanner.php:143
auth · wp_ajax_scanner-get-bot-protection-blocked-ips · quttera_wm_scanner.php:146
auth · wp_ajax_scanner-remove-bot-protection-blocked-ip · quttera_wm_scanner.php:147
auth · wp_ajax_scanner-clear-all-bot-protection-blocked-ips · quttera_wm_scanner.php:148
auth · wp_ajax_scanner-get-bruteforce-stats · quttera_wm_scanner.php:151
auth · wp_ajax_scanner-get-botprotection-stats · quttera_wm_scanner.php:152
auth · wp_ajax_scanner-whitelist_file · quttera_wm_scanner.php:155
auth · wp_ajax_scanner-clean_files_whitelist · quttera_wm_scanner.php:157

WordPress Hooks 31
filter · cron_schedules · qtrAdminUsersMonitor.php:58
action · admin_init · qtrAdminUsersMonitor.php:79
action · user_register · qtrAdminUsersMonitor.php:83
action · set_user_role · qtrAdminUsersMonitor.php:84
action · delete_user · qtrAdminUsersMonitor.php:85
action · deleted_user · qtrAdminUsersMonitor.php:86
filter · cron_schedules · qtrAjaxHandler.php:48
action · qtr_internal_scan_cron_hook · qtrAjaxHandler.php:53
action · qtr_heur_internal_scan_cron_hook · qtrAjaxHandler.php:55
filter · rest_authentication_errors · qtrBotProtection.php:173
action · xmlrpc_call · qtrBotProtection.php:176
action · wp_loaded · qtrBotProtection.php:179
action · template_redirect · qtrBotProtection.php:182
action · init · qtrBruteForce.php:123
filter · authenticate · qtrBruteForce.php:127
action · wp_login_failed · qtrBruteForce.php:128
action · wp_login · qtrBruteForce.php:129
action · xmlrpc_call · qtrBruteForce.php:132
action · init · qtrBruteForce.php:135
action · wp_login_failed · qtrLoginSecurity.php:36
action · wp_login · qtrLoginSecurity.php:37
action · qtr_hourly_login_check · qtrLoginSecurity.php:59
action · qtr_daily_login_summary · qtrLoginSecurity.php:60
action · admin_enqueue_scripts · quttera_wm_scanner.php:42
action · admin_menu · quttera_wm_scanner.php:44
action · plugins_loaded · quttera_wm_scanner.php:47
action · qtr_cleanup_expired_bot_blocks · quttera_wm_scanner.php:67
action · qtr_bot_cleanup_database · quttera_wm_scanner.php:72
filter · cron_schedules · quttera_wm_scanner.php:76
action · admin_init · quttera_wm_scanner.php:787
filter · plugin_action_links · quttera_wm_scanner.php:801

Scheduled Events 6

qtr_internal_scan_cron_hook
qtr_heur_internal_scan_cron_hook
qtr_hourly_login_check
qtr_daily_login_summary
qtr_cleanup_expired_bot_blocks
qtr_bot_cleanup_database
Maintenance & Trust

Quttera ThreatSign – Web Malware Scanner for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.2
Downloads: 4.4M

Community Trust

Rating: 78/100
Number of ratings: 47
Active installs: 10K
Developer Profile

Quttera ThreatSign – Web Malware Scanner for WordPress Developer Profile

quttera

1 plugin · 10K total installs

Trust score: 87
Avg Security Score: 98/100
Avg Patch Time: 42 days
Detection Fingerprints

How We Detect Quttera ThreatSign – Web Malware Scanner for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/quttera-web-malware-scanner/CSS/bootstrap.min.css

HTML / DOM Fingerprints

HTML Comments
<!-- FIXME - this image should be moved to wp.quttera.com -->
Data Attributes
data-quttera-action
data-quttera-params
JS Globals
QutteraScannerAJAX
REST Endpoints
/wp-json/quttera-wm-scanner/v1/settings
FAQ

Frequently Asked Questions about Quttera ThreatSign – Web Malware Scanner for WordPress